Cybernews has revealed a growing malware campaign targeting Linux users through fake cryptocurrency wallet applications published in the Canonical Snap Store. The malicious apps impersonate popular wallets such as Exodus, Trust Wallet, and Ledger Live, and actively steal cryptocurrency once installed.
According to researchers, attackers continue to refine their tactics. As detection improves, threat actors now rely on more deceptive methods to bypass security checks and appear legitimate.
Attackers Hijack Expired Publisher Domains
Initially, attackers attempted to publish malicious snaps using convincing storefront designs and harmless-looking package names. However, these efforts faced increased scrutiny and takedowns. As a result, attackers shifted to a more advanced technique.
Most recently, threat actors began hijacking expired domain registrations previously linked to legitimate Snap Store publishers. Anchore’s Director of Developer Relations, Alan Pope, identified multiple cases where attackers reused trusted publisher identities to distribute malware.
Notably, domains such as storewise.tech and vagueentertainment.com were repurposed after expiration. This tactic allowed attackers to gain publisher control and upload malicious crypto wallet apps under trusted names.
A Significant Escalation in Supply Chain Abuse
Pope described this shift as a serious escalation in Snap Store abuse. By exploiting abandoned domains, attackers bypass user skepticism and platform trust signals more effectively. Consequently, users may unknowingly install malware believing the app comes from a reputable source.
Moreover, this approach aligns with broader trends affecting open-source ecosystems. Attackers increasingly target package repositories, knowing that developers and users trust official distribution platforms.
Linux Package Ecosystems Under Growing Threat
These findings arrive amid heightened attacks on open-source package ecosystems. Recently, researchers reported self-propagating and highly sophisticated malicious npm packages, underscoring how supply chain attacks continue to evolve across platforms.
Although Linux users historically faced fewer malware threats, this campaign shows that attackers now view Linux desktops and wallets as valuable targets. As cryptocurrency adoption grows, Linux-focused attacks will likely increase.
How Users Can Stay Safe
Security experts strongly advise users to download crypto wallet applications only from official project websites. Verifying publisher ownership and avoiding unofficial builds significantly reduces risk.
Ultimately, this campaign highlights the importance of supply chain security. Even trusted app stores can become attack vectors when abandoned assets fall into the wrong hands.
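On the publisher side, the abandoned-domain risk described above can be monitored. The following is an added example, not code from Cybernews, Anchore or the Snap Store: it checks the domains linked to publisher accounts against RDAP registration data (the RFC 9083 "events" array) and flags lapsed or soon-to-lapse registrations. The account names, addresses and RDAP documents are constructed sample data, and the 90-day warning window is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: hypothetical publisher accounts and trimmed RDAP
# domain responses. These are not real registrations.
ACCOUNTS = {
    "alice-dev": "alice@example-games.test",
    "bob-tools": "bob@example-tools.test",
    "carol-apps": "carol@example-apps.test",
}
RDAP = {
    "example-games.test": {"events": [
        {"eventAction": "registration", "eventDate": "2015-03-01T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2025-03-01T00:00:00Z"}]},
    "example-tools.test": {"events": [
        {"eventAction": "expiration", "eventDate": "2026-02-10T00:00:00Z"}]},
    "example-apps.test": {"events": [
        {"eventAction": "expiration", "eventDate": "2029-06-30T00:00:00Z"}]},
}

def expiry(rdap_doc):
    """Return the domain's expiration time from an RDAP response, or None."""
    for ev in rdap_doc.get("events", []):
        if ev.get("eventAction") == "expiration":
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None

def audit(accounts, rdap, now, warn_days=90):
    """Classify each account by the registration state of its e-mail domain."""
    report = {}
    for account, email in accounts.items():
        domain = email.rsplit("@", 1)[1].lower()
        doc = rdap.get(domain)
        exp = expiry(doc) if doc else None
        if exp is None:
            report[account] = "unknown"    # no RDAP data: review by hand
        elif exp <= now:
            report[account] = "expired"    # registration lapsed: address is untrusted
        elif exp - now <= timedelta(days=warn_days):
            report[account] = "expiring"   # renew, or move the account to another address
        else:
            report[account] = "ok"
    return report

if __name__ == "__main__":
    now = datetime(2026, 1, 15, tzinfo=timezone.utc)  # fixed date for a repeatable run
    for account, status in audit(ACCOUNTS, RDAP, now).items():
        print(f"{account:12} {ACCOUNTS[account]:28} {status}")
```

In practice the RDAP documents would be fetched from the registry for each domain, and an "expired" or "expiring" result is the cue to renew the domain or re-point the account before the registration lapses.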

